Information security and privacy are built into Scribe’s growth, mission and vision. Alongside vulnerability scanning, penetration testing, access control, encryption and data privacy measures, Scribe successfully went through a SOC 2 Type II audit. In fact, we’re one of the few Series A-stage startups to undergo successful audits so early in the life of the company. This audit tested the effectiveness of the controls in Scribe’s information security program that uphold the AICPA’s Trust Services Criteria of security.
We are tirelessly committed to the protection of your data and your privacy. Scribe’s information security and privacy controls are detailed below.
Have questions or feedback? Feel free to reach out to us at [email protected].
All data is encrypted in transit and at rest to ensure protection of your data and privacy.
Employee access to the environment in which customer data is stored is granted on a least-permissions basis and is highly restricted and monitored.
Alongside Scribe’s infrastructure-based protection measures, we provide users with authentication and SSO integration capabilities.
All payment instrument processing is safely outsourced to Stripe, which is certified as a PCI Level 1 Service Provider.
We offer HIPAA BAA agreements to enterprise companies that need to comply with HIPAA regulations. Scribe’s data privacy and information security measures assist in supporting customer requirements for HIPAA compliance.
Scribe has successfully passed SOC 2 Type II audits. Scribe's SOC 2 Type II report is available upon execution of an NDA. Please contact [email protected] for Scribe's SOC 2 Type II report.
This certification means that an independent auditor has evaluated our product, infrastructure and policies, and certifies that we meet or exceed specific levels of controls and processes for the security of user data.
In addition, we have purchased third-party software that continuously monitors our infrastructure and ensures we are in compliance with our stated policies and procedures.
All of our hosted services run in the cloud. Our cloud environment is protected by intrusion detection and prevention systems with alerting and monitoring in place. We do not host or run our own routers, load balancers, DNS servers or physical servers. We use Amazon Web Services (AWS) and have no physical infrastructure or physical access to the servers themselves. Our production databases are on Amazon RDS and S3. AWS provides strong security measures to protect our infrastructure and is compliant with most certifications. You can read more about their practices here.
Users may request to have their data deleted at any time by writing to [email protected]. Please allow 30 days to process your request.
Scribe has redundant data center zones in place with failover capabilities to ensure availability of services and data. Scribe’s RTO is 8 hours and RPO is 24 hours, providing quick restoration of services in the event of an outage and minimal to no data loss.
Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them.
You can report vulnerabilities by contacting [email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules.
Scribe can support customer requirements for HIPAA. We are also willing to execute BAAs to support customers with HIPAA-related requirements. Users may redact any sensitive information such as PHI that’s recorded, and if customers upgrade to Enterprise, they can enable Smart Privacy Screen to automatically redact sensitive information. This can be enabled at the administrator level such that employees cannot disable Smart Privacy Screen.
If we have an executed Mutual Non-disclosure Agreement in place, yes. We are happy to execute our customers’ MNDAs (just ensure it is actually mutual and not a one-way NDA; send it to [email protected] if you have trouble figuring out if it’s mutual).
In short, for functionality. For Scribe to be able to capture processes for users, the application and plugin have to read actions on webpages such as clicks and keystrokes. Scribe only collects user actions when directed by the user to capture. No browsing information is sent if the user doesn’t interact with the browser extension. Users may turn off the plugin or application at any time. Please refer to Scribe’s Privacy Policy for more information on what we collect and why we collect it: https://scribehow.com/privacy/